Starting from Barnum's recent proposal to use entanglement
and catalysis for quantum secure identification
[quant-ph/9910071], we describe a protocol for quantum
authentication and authenticated quantum key distribution. We
argue that our scheme is secure even in the presence of an
eavesdropper who has complete control over both classical
and quantum channels.



Since the publication of the BB84 protocol [BB],
quantum key distribution has developed into a well- 
understood application of quantum mechanics to cryp- 
tography. Typically, quantum key distribution schemes 
depend either on an unjammable classical communication 
channel or on authentication of the classical communica- 
tion by classical methods. Comparatively little work has 
been done on the problem of quantum authentication and 
authenticated quantum key distribution. 

Some existing quantum authentication proposals are
variations of the BB84 protocol JC^HIB| i plTHM[ . These
proposals either require an unjammable classical channel,
or authentication of the classical communication using
classical cryptographic methods [DHHM]. An early proposal
[CS] uses quantum oblivious transfer, which has
since been shown to be insecure [y . Some recent proposals
g||,|G are based on entanglement. A very interesting
protocol of this type is due to Howard Barnum [B].
In his protocol, the parties use a shared entangled pair of
particles as a catalyst [JP1] to perform a quantum operation
which would be impossible without the catalyst. In
its original form, however, Barnum's protocol has been
shown to be insecure [BK].

In this paper, we describe a protocol derived from Barnum's
protocol which appears to be secure against a wide
range of eavesdropping attacks. In a simplified version of
our protocol, the two parties, Alice and Bob, initially
share K particle pairs in an entangled state $|c\rangle$ (the key
or catalyst). Assume Alice wants to identify herself to
Bob. Bob then prepares K pairs of particles in an entangled
state $|b\rangle$ and sends one particle from each pair to
Alice (the challenge). It is possible [SJNP] to choose the
states $|c\rangle$ and $|b\rangle$ such that by using only local operations
and classical communication (LQCC), Alice and Bob can
convert the four-particle state $|b\rangle|c\rangle$ into the four-particle
state $|c\rangle|c\rangle$, but by using only LQCC, the two-particle
state $|b\rangle$ cannot be converted into the two-particle state
$|c\rangle$ deterministically. The state $|c\rangle$ thus acts as a catalyst
[JP1] for the conversion of $|b\rangle$ into $|c\rangle$.



Using a different catalyst for each pair of challenge
particles, Alice and Bob perform LQCC to convert all
K challenge pairs to the state $|c\rangle$. Bob now selects a
number K' of his challenge particles and asks Alice to
send back her corresponding challenge particles (her
response). For each of the K' challenge pairs now in his
possession, Bob makes a projective measurement onto
the state $|c\rangle$. An eavesdropper, Eve, pretending to be Alice,
would not have had access to the catalyst $|c\rangle$, so Eve
and Bob would not have been able to convert all their
challenge particles to the state $|c\rangle$, and therefore some
of Bob's test measurements would fail. Below we will
derive an upper bound $p_0$ for the probability $p$ that an
eavesdropper remains undetected in a single such
measurement. The overall probability of not detecting an
eavesdropper is bounded above by $p_0^{K'}$ and can be made
arbitrarily small by choosing K' large enough.

After a successful authentication, Alice and Bob share 
$2(K - K')$ catalyst pairs, since the protocol requires that
they destroy the catalyst pairs used in the conversion 
of the K' tested challenge pairs. If K > 2K', they now 
share more key particles than before. Our authentication 
protocol thus also provides authenticated quantum key 
distribution. 

The simplified version of our protocol just given is not 
secure. Below, we first describe a full version of the pro- 
tocol, and then we discuss a number of eavesdropping 
attacks against it which we believe are the most pow- 
erful such attacks. We will argue that our protocol is 
secure even in the presence of an eavesdropper with full 
control over both classical and quantum communication 
channels; we do not, however, give a full security proof. 
In our analysis, we assume that all quantum operations 
are error-free and that the quantum channel is noiseless. 

Choice of states. Consider bipartite states
$|b\rangle = \sum_{k=1}^{n} \sqrt{b_k}\,|k\rangle|k\rangle$ and
$|c\rangle = \sum_{k=1}^{n} \sqrt{c_k}\,|k\rangle|k\rangle$, where the
states $|k\rangle$ are orthonormal basis states for one particle.
If $b_1 \ge \cdots \ge b_n$ and $c_1 \ge \cdots \ge c_n$, then $b_k$ and $c_k$ are
called the ordered Schmidt coefficients of the states $|b\rangle$
and $|c\rangle$. The state $|b\rangle$ can be converted deterministically
into $|c\rangle$ using only LQCC iff the ordered Schmidt coefficients
of the target state $|c\rangle$ majorize those of the initial
state $|b\rangle$ 0, i.e., iff
$\forall k : \sum_{i=1}^{k} c_i \ge \sum_{i=1}^{k} b_i$ with equality
for $k = n$. Otherwise, only a probabilistic conversion is
possible |JP|,[V|].

States with the properties required for our protocol
exist for $n = 5$ [SJNP]. For $n < 4$, the protocol needs
to be modified to use probabilistic entanglement-assisted
conversion [JP2]. Our choice of Schmidt coefficients for
$|b\rangle$ and $|c\rangle$ is $b_1 = b_2 = 0.31$, $b_3 = 0.30$, $b_4 = b_5 = 0.04$,
$c_1 = 0.48$, $c_2 = 0.24$, $c_3 = c_4 = 0.14$, $c_5 = 0$.
With this choice, the conversion of $|b\rangle$ into $|c\rangle$ can be
done only with probability $P(b \to c) \approx 0.572$, but the
ordered Schmidt coefficients of the tensor-product state
$|c\rangle|c\rangle$ majorize those of the state $|b\rangle|c\rangle$, so the latter can
be converted into the former deterministically.
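
The majorization criterion and the catalysis claim can be checked directly from the coefficients quoted above. The following Python sketch is an added example, not code from the paper; the function names are illustrative, and exact rational arithmetic is used because one partial sum of the two product states ties exactly (at k = 6), which floating-point rounding could misjudge.

```python
from fractions import Fraction
from itertools import accumulate

# Schmidt coefficients quoted in the text, as exact rationals: one partial
# sum of the product states ties exactly, so float rounding could flip it.
B = [Fraction(x) for x in ("0.31", "0.31", "0.30", "0.04", "0.04")]
C = [Fraction(x) for x in ("0.48", "0.24", "0.14", "0.14", "0")]


def ordered_partial_sums(coeffs):
    """Running sums of the coefficients taken in decreasing order."""
    return list(accumulate(sorted(coeffs, reverse=True)))


def tensor(x, y):
    """Schmidt coefficients of the product state |x>|y>."""
    return [xi * yj for xi in x for yj in y]


def majorization_gaps(initial, target):
    """gaps[k-1] = (sum of k largest target) - (sum of k largest initial)."""
    if len(initial) != len(target):
        raise ValueError("pad both coefficient lists to the same length")
    if sum(initial) != 1 or sum(target) != 1:
        raise ValueError("Schmidt coefficients must sum to 1")
    return [t - s for t, s in zip(ordered_partial_sums(target),
                                  ordered_partial_sums(initial))]


def lqcc_deterministic(initial, target):
    """True iff target majorizes initial (deterministic LQCC conversion)."""
    return all(gap >= 0 for gap in majorization_gaps(initial, target))


def indices_where(initial, target, predicate):
    """1-based k whose partial-sum gap satisfies the predicate."""
    gaps = majorization_gaps(initial, target)
    return [k for k, gap in enumerate(gaps, start=1) if predicate(gap)]


def catalysis_report(b=B, c=C):
    """Check both claims: b -> c fails alone, b(x)c -> c(x)c succeeds."""
    bc, cc = tensor(b, c), tensor(c, c)
    return {
        "b_to_c": lqcc_deterministic(b, c),
        "b_to_c_violations": indices_where(b, c, lambda g: g < 0),
        "bc_to_cc": lqcc_deterministic(bc, cc),
        "bc_to_cc_ties": indices_where(bc, cc, lambda g: g == 0),
        "bc_to_cc_min_gap": min(majorization_gaps(bc, cc)),
    }


if __name__ == "__main__":
    for name, value in catalysis_report().items():
        print(f"{name}: {value}")
```
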

Even though the exact conversion $|b\rangle \to |c\rangle$ can only be
done with probability 0.572, it is possible to convert $|b\rangle$
to pure or mixed states $\rho$ close to $|c\rangle$ with much higher
probability (we say that $\rho$ is close to $|c\rangle$ if the fidelity
$F = \langle c|\rho|c\rangle$ is close to 1). By applying a theorem given
in Ref. [VJN], it can be seen that the average fidelity for
the conversion $|b\rangle \to |c\rangle$ is bounded above as

$$\langle c|\rho|c\rangle \le p_0 = 0.9907 , \tag{1}$$

where $\rho$ is now the average state resulting from the
conversion. The theorem also shows that the maximum average
fidelity $F = p_0$ is achieved by a pure state |£ c ) to
which $|b\rangle$ can be converted deterministically.

Overview of the full protocol. The main difference 
between the simplified version of the authentication pro- 
tocol given above and the full version is that the latter 
is symmetric. In an authentication round, Alice and Bob 
each establish the identity of the other party.

One round of the protocol consists of Alice and Bob
each preparing K particle pairs in state $|b\rangle$. Bob sends
one particle of each of his pairs to Alice; for these pairs,
Alice is called the prover and Bob the verifier. Likewise,
Alice sends one particle of each of her pairs to Bob; for
these pairs, she is the prover and he the verifier. Using
a different catalyst for each pair, Alice and Bob now
convert each of the $|b\rangle$ states to a $|c\rangle$ state. Each of the
two asks the other to send back K' (K' < K/2) of the
new particles for testing; they abort the protocol if they
detect any particle pair not in the $|c\rangle$ state.

Eve, who does not initially share any entanglement 
with Alice and Bob, cannot impersonate one of them 
to the other. For a successful attack, Eve must there- 
fore first obtain shared entanglement with Alice and Bob. 
Below, after describing the protocol in detail, we discuss 
its security against a number of attacks, where Eve has 
full control over both the quantum and classical commu- 
nication channels (such attacks are called "man-in-the- 
middle" attacks). 

The key. Before the first authentication round, we shall
assume that Alice and Bob share 2K particle pairs prepared
in the state $|c\rangle$: these are the catalysts, and together
they form the key. With each successful authentication
round, the number of key pairs increases. In each
round, the key particles used are labeled $\gamma_i^A$ and $\gamma_i^B$,
respectively, where $i = 1,\ldots,2K$, and the state of each
pair $\gamma_i^A\gamma_i^B$ is $|c\rangle$.

Detailed description. An authentication round con- 
sists of the following steps. 

1. Bob prepares K particle pairs $\beta_i^A\beta_i^B$ in state $|b\rangle$, where
i is odd, and sends $\beta_i^A$ to Alice. These are Bob's challenges.
Likewise, Alice prepares K pairs $\beta_i^A\beta_i^B$ in state
$|b\rangle$ for i even, and sends $\beta_i^B$ to Bob. Thus, for odd indices,
Bob will be the verifier; Alice will be the verifier
for even indices.

2. For each i, Alice and Bob perform the deterministic
catalysis conversion $|b\rangle|c\rangle \to |c\rangle|c\rangle$, where Alice performs
local operations on her particles $\gamma_i^A$ and $\beta_i^A$ and
Bob performs local operations on his particles $\gamma_i^B$ and
$\beta_i^B$ Q. We can [LP] and do require that only the verifier
performs both unitary transformations and generalized
measurements; the prover performs only unitary
transformations depending on the result of the verifier's
measurements, which are communicated classically.

3. Alice picks randomly a subset $Q_A \subset \{2,4,\ldots,2K\}$ of
size K' of particles for which she is the verifier, and Bob
does likewise for a subset $Q_B \subset \{1,3,\ldots,2K-1\}$ of size
K' for which he is the verifier. Bob as verifier now asks
Alice to send back her response $\beta_i^A$ for some $i \in Q_B$. Bob
measures the projector $|c\rangle\langle c|$ on the particle pair $\beta_i^A\beta_i^B$.
If the measurement fails, he aborts the protocol. Then
Alice becomes the verifier, asks Bob to send $\beta_i^B$ for some
$i \in Q_A$ and tests it likewise. They continue taking turns
as prover and verifier until they have exhausted the sets
$Q_A$ and $Q_B$. At the end of this step, they discard the
catalysts $\gamma_i^A\gamma_i^B$ for $i \in Q_A \cup Q_B$.

4. The authentication fails if any of the projective mea- 
surements in the previous step fails, or if Alice or Bob 
receive more than K' requests to send back challenge 
particles. 

5. If the authentication round succeeds, Alice and Bob
are left with $2(K - K')$ pairs $\gamma_i^A\gamma_i^B$ and $2(K - K')$ pairs
$\beta_i^A\beta_i^B$, i.e., they now have $2K - 4K'$ additional pairs in
the catalyst state $|c\rangle$. The $2K + n(2K - 4K')$ pairs they share
after the nth successful round are now renamed $\gamma_j^A\gamma_j^B$ in
random order, i.e., with the indices j permuted using a
pseudo-random number generator.

Remark. If the authentication fails, the parties discard 
all particles used till that point, including both the orig- 
inal key and all new key pairs generated. In this case, 
Alice and Bob have to start again with a new key. There- 
fore, in practice they should initially share several sets of 
2K key pairs. 

Security and attacks. We now discuss the security of
our protocol against a number of attacks. We start with
two simple attacks, impersonation and denial of service,
and then move on to more powerful "man-in-the-middle"
attacks.

Impersonation. Suppose that Alice is not present and
Eve tries to persuade Bob that she is Alice. When Bob
sends out a challenge particle, Eve intercepts it. We
therefore label it $\beta_E$ rather than $\beta_A$, omitting the index i
for clarity. Eve must now perform local operations on $\beta_E$
such that a later measurement by Bob on the pair $\beta_E\beta_B$
will fail with the smallest possible probability. If $\rho$ is the
average state of the pair $\beta_E\beta_B$ resulting from Eve's and
Bob's operations, then the probability that Bob's
measurement succeeds is given by the fidelity $\langle c|\rho|c\rangle$. Since
Eve does not have the catalyst particle $\gamma_A$ paired with
the particle $\gamma_B$ that Bob will use, the conversion is not
assisted by any entanglement. The fidelity $\langle c|\rho|c\rangle$ is therefore
bounded above by $p_0 < 1$ [see Eq. (1)]. Since in one
authentication round, Bob makes K' such measurements,
the probability of not detecting Eve is bounded above by
$p_0^{K'}$, which can be made arbitrarily small by choosing K'
large enough.

Denial of service. In this type of attack, Eve deliber- 
ately causes the authentication round to fail, and hence 
causes one party to discard all key particles. Although 
our protocol in its present form is particularly vulnerable 
to this kind of attack, this is not an essential weakness 
since an attacker who controls both quantum and classi- 
cal communication can always prevent successful authen- 
tications between the legitimate parties. 

Man in the middle. We now look at stronger attacks 
in which Eve tries to obtain key material which she could 
then use, e.g., in a later impersonation attack. Eve's goal 
is to share pairs of particles in the catalyst state $|c\rangle$ with
Alice and/or Bob. For instance, if she succeeds in ob- 
taining a large amount of key material shared with Bob, 
she will be able to authenticate herself to Bob without 
Alice being present. Eve's ability to obtain key mate- 
rial is limited by the fact that if her presence is detected 
in a single measurement, all the previously obtained key 
material she shares with the verifier who performed that 
measurement will become worthless. 

We will distinguish between two kinds of attacks. In a 
type I attack, Eve does not intercept the challenge particle 
when it is sent from the verifier to the prover. In a type 
II attack, she intercepts the challenge particle and sends 
another particle on to the prover. Since the protocol is 
symmetric, we will assume in the following that Alice is 
the prover and Bob the verifier. 

Type I attack. By definition, in a type I attack, Bob
sends the challenge particle $\beta_i^A$ to Alice without Eve
interfering. Assume now that Bob sends out a request for
a response particle. Eve has three options. In option 1,
she passes the request on to Alice, then she passes Alice's
response particle $\beta_i^A$ on to Bob. Eve's presence will
not be detected, but she does not obtain any key material
either. In option 2, Eve passes the request on to
Alice, then intercepts Alice's particle and sends another
particle on to Bob. Eve does not gain anything, because
both Alice and Bob are going to discard their respective
particles. In addition, Eve risks detection with nonzero
probability.

Option 3 is the interesting one. Here, Eve does not
pass Bob's request on to Alice. Instead she prepares a
pair of particles $\alpha_E$ and $\alpha_B$ in a state of her choice and
sends $\alpha_B$ to Bob. Then she asks Alice to send back the
particle $\beta_{i+2}^A$, which is the next one for which Bob is the
verifier. Since the pair $\beta_{i+2}^A\beta_{i+2}^B$ is in the state $|c\rangle$, Eve
now shares a perfect catalyst pair with Bob (assuming
that $i+2 \notin Q_B$). Bob's measurement on the pair $\alpha_B\beta_i^B$,
however, is going to detect her with a probability not less
than $1 - p_0$. In the case that Bob's measurement does not
detect her, we assume for our security analysis that, after
the measurement, the pair $\alpha_E\beta_i^A$ shared between Alice
and Eve is in state $|c\rangle$, which is probably too strong an
assumption. There is an additional risk of detection for
Eve in the next authentication round since, when Alice
and Bob relabel their particles in step 5 of the protocol,
there will be a j such that $\gamma_j^A$ is not entangled with $\gamma_j^B$.

Even if Bob does not ask for a response particle, Eve 
may still send a request to Alice, so that again she ob- 
tains a perfect catalyst pair with Bob. However, since 
Alice will abort the protocol if she receives more than 
K' requests to send back a response particle, Eve cannot 
request a particle from her without also at some time 
during the round sending a corresponding response par- 
ticle to Bob. Therefore, Eve cannot avoid being detected 
with a probability of at least $1 - p_0$ for each key particle
she obtains in this way. 

Type II attack. We now assume that Eve intercepts
the challenge particle $\beta_A$ sent out by Bob. As before,
because Eve now owns that particle, we will label it $\beta_E$.
The pair $\beta_E\beta_B$ is in state $|b\rangle$. Eve then prepares two
particles $\alpha_A\alpha_E$ in a state $|a\rangle$ of her choice, keeps $\alpha_E$ and
sends $\alpha_A$ to Alice.

Unaware of Eve's presence, Bob now goes through the
catalysis protocol with his particles $\beta_B$ and $\gamma_B$, where
$\gamma_B$ is entangled with Alice's particle $\gamma_A$. Bob sends out
the results of his generalized measurements, which Eve
intercepts. Bob's two particles $\gamma_B$ and $\beta_B$ are now in the
state

$$\rho_{\gamma_B\beta_B} = \mathrm{tr}_{\gamma_A\beta_A}\left(\rho_{\gamma_A\gamma_B} \otimes \rho_{\beta_A\beta_B}\right) = \mathrm{tr}_{\gamma_A\beta_A}\left(|cc\rangle\langle cc|\right) . \tag{2}$$

This state is independent of Alice's and Eve's actions and
has no entanglement between the two particles.

At this point, there are three different cases. In the
first case, Bob does not request a response particle; Eve
thus does not risk being detected. She now shares entangled
states with both Alice and Bob. She can perform
arbitrary unitary or nonunitary local operations on her
particles $\alpha_E$ and $\beta_E$, and she can send fake measurement
information to Alice in order to influence Alice's unitary
operations. For our security analysis, we assume that this
enables her to bring both pairs $\alpha_A\alpha_E$ and $\beta_E\beta_B$ into the
catalyst state $|c\rangle$, although it follows from the analysis of
case 2 below that she cannot reach this goal completely.
Eve may also ask Alice to send particle back to her,
but generally, Eve will not gain anything from this.

In the second case, Bob requests a response particle,
and Eve sends him her particle $\beta_E$. We will now show
that the fidelity between the target state $|c\rangle$ and the
state $\rho_{\beta_E\beta_B}$ on which Bob performs his measurement is
bounded above by $\langle c|\rho_{\beta_E\beta_B}|c\rangle \le p_0$, which implies that
Bob's measurement fails with probability $\ge 1 - p_0$.

The reason is that even if Bob collaborated with Eve
on maximizing the fidelity, they could only use LQCC in
the conversion; it would not be assisted by any entanglement.
Since Alice performs only unitary transformations,
but no measurements, on her particles $\gamma_A$ and $\alpha_A$, no
entanglement is created between $\alpha_E$ and $\gamma_B$, which could
assist Eve and Bob in their task.

As in the first case, for our security analysis we will 
assume that if Eve remains undetected, she shares pairs 
in the catalyst state with both Alice and Bob. Eve can 
get close to this goal by performing a type I attack against 
Alice leading to a perfect catalyst pair shared with Bob. 
Eve can do this because she has not passed Bob's earlier 
request on to Alice. 

In the third case, Bob also requests a response particle,
but this time Eve passes his request on to Alice and
intercepts Alice's response $\alpha_A$. Eve then performs arbitrary
operations on the three particles now in her possession,
$\alpha_A$, $\alpha_E$ and $\beta_E$. Then she sends one particle on to Bob.
We label this particle $e- 

We now assume that Eve does not use any entanglement
to assist her in the conversion of the $\beta$ particles,
which means that the fidelity between the target state
$|c\rangle$ and the state $\rho_{\beta_E\beta_B}$ on which Bob performs his
measurement is bounded above by $\langle c|\rho_{\beta_E\beta_B}|c\rangle \le p_0$. This
implies again that Bob's measurement fails with
probability $\ge 1 - p_0$.

The above assumption is rather strong, but partially 
justified by the fact that there is a conflict of interest 
for Eve: if Bob does not request a response particle, Eve 
wants the $\alpha$ particles to be in the pure $|c\rangle$ state, in which
case they are not entangled with any other particle. For 
a full analysis of this conflict of interest, one needs to 
analyse the set of unitary transformations Alice is allowed 
to perform under the protocol. 

Unlike the first and second cases, if Bob's measurement 
does not fail, Eve will not share entanglement with either
Alice or Bob, since they discard their respective particles. 

To evaluate the overall security of the protocol against
a type II attack, we now assume that Eve attacks L particle
pairs. Since Alice and Bob check a random fraction
K'/K of these pairs, the probability that Eve remains
undetected is approximately bounded above by $p_0^{LK'/K}$;
the bound becomes exact in the limit of large K and K'.
If Eve is not detected, the fraction $\epsilon$ of key pairs she
shares with Alice and Bob is not greater than L/K. The
probability $p(\epsilon)$ that Eve obtains a fraction $\epsilon$ undetected
is therefore bounded above by $p_0^{\epsilon K'}$. The security of the
protocol against a type II attack then follows from the
fact that, for any $\epsilon > 0$, Alice and Bob can make $p(\epsilon)$
arbitrarily small by choosing K and K' sufficiently large.

Similarly, the protocol is secure against a type I attack 
because the probability that Eve remains undetected in 
a type I attack against L particle pairs is bounded above 

Conclusions and outlook. The quantum authentication
protocol described above appears to be secure even
in the presence of an eavesdropper who has complete
control over both classical and quantum communication
channels at all times. Our protocol does not rely on
classical cryptography. Furthermore, the security of the
protocol does not depend on keeping classical information
secret, including information about quantum states: all
parties, including the eavesdropper, have full information
about all aspects of the protocol. In each authentication
round, additional quantum key particles are distributed
securely. Combined with entanglement purification and
privacy amplification techniques [DEJMPS], our protocol
therefore also provides authenticated quantum key
distribution.

There are a number of important open questions which
we plan to address in the future. Most importantly, we 
need to analyse the protocol in the presence of noise and 
for more subtle eavesdropping attempts such as coherent 
attacks, or an attack in which Eve partially entangles the 
challenge with an ancillary particle. Furthermore, there 
is scope for improving the protocol in several respects. 
For instance, the parties should not have to discard all 
key pairs if a single measurement fails. It should also be 
possible to find states with a lower fidelity bound $p_0$, e.g.,
by going to a higher-dimensional Hilbert space. 